Why can't I use SSL certs imported via Server Admin in a custom Apache install?
Posted
by
morgant
on Server Fault
See other posts from Server Fault
or by morgant
Published on 2012-04-10T23:15:38Z
Indexed on
2012/04/10
23:31 UTC
Read the original article
Hit count: 433
I've got a couple of Mac OS X 10.6.8 Server web servers that run a custom AMP255 (Apache 2.x, MySQL 5.x, and PHP 5.x) stack installed using MacPorts. We've got a lot of Mac OS X Server servers and generally install SSL certs via Server Admin and they "just work" in the built-in services, however, these web servers have always had SSL certs installed in a non-standard location and used only for Apache.
Long story short, we're trying to standardize this part of our administration and install certs via Server Admin, but have run into the following issue: when the certs are installed via Server Admin and referenced in our Apache conf files, Apache then prompts for a password upon trying to start. It does not seem to be any password we know, certainly not the admin or keychain passwords! We've added the _www
user to the certusers
(mainly just to ensure they have the proper access to the private key in /etc/certificates/
).
So, with the custom installed certs we have the following files (basically just pasted in from the company we purchase our certs from):
-rw-r--r-- 1 root admin 1395 Apr 10 11:22 *.domain.tld.ca
-rw-r--r-- 1 root admin 1656 Apr 10 11:21 *.domain.tld.cert
-rw-r--r-- 1 root admin 1680 Apr 10 11:22 *.domain.tld.key
And the following in the VirtualHost
in /opt/local/apache2/conf/extra/httpd-ssl.conf
:
SSLCertificateFile /path/to/certs/*.domain.tld.cert
SSLCertificateKeyFile /path/to/certs/*.domain.tld.key
SSLCACertificateFile /path/to/certs/*.domain.tld.ca
This setup functions normally.
If we use the certs installed via Server Admin, which both Server Admin & Keychain Assistant show as valid, they're installed in /etc/certificates/
as follows:
-rw-r--r-- 1 root wheel 1655 Apr 9 13:44 *.domain.tld.SOMELONGHASH.cert.pem
-rw-r--r-- 1 root wheel 4266 Apr 9 13:44 *.domain.tld.SOMELONGHASH.chain.pem
-rw-r----- 1 root certusers 3406 Apr 9 13:44 *.domain.tld.SOMELONGHASH.concat.pem
-rw-r----- 1 root certusers 1751 Apr 9 13:44 *.domain.tld.SOMELONGHASH.key.pem
And if we replace the aforementioned lines in our httpd-ssl.conf
with the following:
SSLCertificateFile /etc/certificates/*.domain.tld.SOMELONGHASH.cert.pem
SSLCertificateKeyFile /etc/certificates/*.domain.tld.SOMELONGHASH.key.pem
SSLCertificateChainFile /etc/certificates/*.domain.tld.SOMELONGHASH.chain.pem
This prompts for the unknown password. I have also tried httpd-ssl.conf
configured as follows:
SSLCertificateFile /etc/certificates/*.domain.tld.SOMELONGHASH.cert.pem
SSLCertificateKeyFile /etc/certificates/*.domain.tld.SOMELONGHASH.key.pem
SSLCertificateChainFile /etc/certificates/*.domain.tld.SOMELONGHASH.concat.pem
And as:
SSLCertificateFile /etc/certificates/*.domain.tld.SOMELONGHASH.cert.pem
SSLCertificateKeyFile /etc/certificates/*.domain.tld.SOMELONGHASH.key.pem
SSLCACertificateFile /etc/certificates/*.domain.tld.SOMELONGHASH.chain.pem
We've verified that the certificate is configured to allow all applications access it (in Keychain Assistant). A diff of the /etc/certificates/*.domain.tld.SOMELONGHASH.key.pem
& *.domain.tld.key
files shows the former is encrypted and the latter is not, so we're assuming that Server Admin/Keychain Assistant is encrypting them for some reason.
I know I can create an unencrypted key file as follows:
sudo openssl rsa -in /etc/certificates/*.domain.tld.SOMELONGHASH.key.pem -out /etc/certificates/*.domain.tld.SOMELONGHASH.key.no_password.pem
But, I can't do that without entering the password. I thought maybe I could export an unencrypted copy of the key from Keychain Admin, but I'm not seeing such an option (not to mention that the .pem
options are greyed out in all export options).
Any assistance would be greatly appreciated.
© Server Fault or respective owner